Editor’s Note: Organizations that rely on secrecy to handle potential cyber defense breaches may run afoul of the federal cybersecurity policies detailed in a growing number of regulatory and guidance documents. A more sophisticated approach is needed, one that minimizes disclosure responsibilities by proactively managing cyber-risks.

When Nationwide Mutual Insurance Co. discovered in October that a hacker had breached its systems and stolen personal details of roughly one million people, it put the internal probe in the hands of a law firm, rather than one of the forensic investigators typically retained for such incidents.

The latest cyberattacks on U.S. financial institutions are aggressive campaigns with sophisticated software and powerful tactics. A string of attacks started in September and sent dozens of U.S. banks offline. The attacks cost millions of dollars, but they also presented new elements of destructive potential. According to a March 29 article in the New York Times, the attacks have escalated from denial of service and data theft to actual data destruction. There are also rising concerns that foreign governments are behind the attacks.

The Army CIO has failed so far to implement an effective cybersecurity program for commercial mobile devices (CMDs), and until the service does so its networks will remain vulnerable to cyberattack and possible leaks of sensitive data, according to a report from the Defense Department’s Inspector General.

The DOD IG study sought to determine whether the Army had an effective cybersecurity program capable of identifying and mitigating the risks posed by CMDs and removable media. During site inspections, IG officials checked whether Army officials were properly tracking, configuring and sanitizing CMDs.

I wonder how much space in the president’s daily brief, perhaps the government’s most secret compendium of global threats, is devoted these days to cyberattacks. The Internet affords the weak power to attack the strong. North Korea, Iran and al-Qaeda fit into this category with their disruption of financial-services Web sites. And cyberespionage is also a tool of China, which has used it to probe and steal information from leading U.S. corporations and news organizations.

A new formula that characterizes the privacy afforded by large, aggregate data sets may be discouraging, but could help sharpen policy discussion.

Larry Hardesty

The proliferation of sensor-studded cellphones could lead to a wealth of data with socially useful applications — in urban planning, epidemiology, operations research and emergency preparedness, among other things. Of course, before being released to researchers, the data would have to be stripped of identifying information. But how hard could it be to protect the identity of one unnamed cellphone user in a data set of hundreds of thousands or even millions?